Single Sign-On Implementation Guide - Sign-On Implementation Guide Salesforce, ... single sign-on settings, ... system administrators receive

  • View
    218

  • Download
    5

Embed Size (px)

Transcript

  • Single Sign-On ImplementationGuide

    Salesforce, Summer 16

    @salesforcedocsLast updated: July 26, 2016

    https://twitter.com/salesforcedocs

  • Copyright 20002016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.

  • CONTENTS

    Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

    About SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    Configuring SAML Settings for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    Working With Your Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Identity Provider Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Customize SAML Start, Error, Login, and Logout Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Example SAML Assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

    Viewing Single Sign-On Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

    Validating SAML Settings for Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    SAML Assertion Validation Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

    Reviewing the SAML Login History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

    About Just-in-Time Provisioning for SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

    Just-in-Time Provisioning Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Just-in-Time Provisioning for Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Just-in-Time Provisioning for Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Just-in-Time Provisioning Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

    Best Practices for Implementing Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

    Enable Single Sign-On for Portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

    Understanding Delegated Authentication Single Sign-On . . . . . . . . . . . . . . . . . . . . . . 45

    Configuring Salesforce for Delegated Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

    Sample Delegated Authentication Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

  • SINGLE SIGN-ON

    EDITIONS

    Available in: both SalesforceClassic and LightningExperience

    Federated Authentication isavailable in: All Editions

    Delegated Authentication isavailable in: Professional,Enterprise, Performance,Unlimited, Developer, andDatabase.com Editions

    Authentication Providers areavailable in: Professional,Enterprise, Performance,Unlimited, and DeveloperEditions

    USER PERMISSIONS

    To view the settings: View Setup and

    Configuration

    To edit the settings: Customize Application

    AND

    Modify All Data

    Single sign-on allows users to access all authorized network resources without having to log inseparately to each resource. You validate usernames and passwords against your corporate userdatabase or other client application rather than having separate user passwords managed bySalesforce.

    Salesforce offers the following ways to use single sign-on:

    Federated authentication using Security Assertion Markup Language (SAML) allows you to sendauthentication and authorization data between affiliated but unrelated Web services. Thisenables you to sign on to Salesforce from a client application. Federated authentication usingSAML is enabled by default for your organization.

    Delegated authentication single sign-on enables you to integrate Salesforce with anauthentication method that you choose. This enables you to integrate authentication with yourLDAP (Lightweight Directory Access Protocol) server, or perform single sign-on by authenticatingusing a token instead of a password. You manage delegated authentication at the permissionlevel, allowing some users to use delegated authentication, while other users continue to usetheir Salesforce-managed password. Delegated authentication is set by permissions, not byorganization.

    The primary reasons for using delegated authentication include:

    Using a stronger type of user authentication, such as integration with a secure identityprovider

    Making your login page private and accessible only behind a corporate firewall

    Differentiating your organization from all other companies that use Salesforce in order toreduce phishing attacks

    You must request that this feature be enabled by Salesforce. Contact Salesforce to enabledelegated authentication single sign-on for your organization.

    Authentication providers let your users log in to your Salesforce organization using their logincredentials from an external service provider. Salesforce supports the OpenId Connect protocolthat allows users to log in from any OpenID provider such as Google, PayPal, LinkedIn and otherservices supporting OpenID Connect. When authentication providers are enabled, Salesforcedoes not validate a users password. Instead, Salesforce uses the users login credentials from the external service provider to establishauthentication credentials.

    When you have an external identity provider, and configure single sign-on for your Salesforce organization, Salesforce is then acting asa service provider. You can also enable Salesforce as an identity provider, and use single sign-on to connect to a different service provider.Only the service provider needs to configure single sign-on.

    The Single Sign-On Settings page displays which version of single sign-on is available for your organization. To learn more about thesingle sign-on settings, see Configuring SAML Settings for Single Sign-On. For more information about SAML and Salesforce security,see the Security Implementation Guide.

    Benefits of Single Sign-On

    Implementing single sign-on can offer the following advantages to your organization:

    1

    https://help.salesforce.com/apex/HTViewHelpDoc?id=identity_provider_about.htm&language=en_UShttps://resources.docs.salesforce.com/202/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf

  • Reduced Administrative Costs: With single sign-on, users only need to memorize a single password to access both networkresources or external applications and Salesforce. When accessing Salesforce from inside the corporate network, users are loggedin seamlessly, without being prompted to enter a username or password. When accessing Salesforce from outside the corporatenetwork, the users corporate network login works to log them in. With fewer passwords to manage, system administrators receivefewer requests to reset forgotten passwords.

    Leverage Existing Investment: Many companies use a central LDAP database to manage user identities. By delegating Salesforceauthentication to this system, when a user is removed from the LDAP system, they can no longer access Salesforce. Consequently,users who leave the company automatically lose access to company data after their departure.

    Time Savings: On average, a user takes five to 20 seconds to log in to an online application; longer if they mistype their usernameor password and are prompted to reenter them. With single sign-on in place, the need to manually log in to Salesforce is avoided.These saved seconds add up to increased productivity.

    Increased User Adoption: Due to the convenience of not having to log in, users are more likely to use Salesforce on a regular basis.For example, users can send email messages that contain links to information in Salesforce such as records and reports. When therecipients of the email message click the links, the corresponding Salesforce page opens automatically.

    Increased Security: Any password policies that you have established for your corporate network will also be in effect for Salesforce.In addition, sending an authentication credential that is only valid for a single use can increase security for users who have accessto sensitive data.

    2

    Single Sign-On

  • About SAML

    EDITIONS

    Available in: both SalesforceClassic and LightningExperience

    Federated Authentication isavailable in: All Editions

    Delegated Authentication isavailable in: Professional,Enterprise, Performance,Unlimited, Developer, andDatabase.com Editions

    Authentication Providers areavailable in: Professional,Enterprise, Performance,Unlimited, and DeveloperEditions

    USER PERMISSIONS

    To view the settings: View Setup and

    Configuration

    To edit the settings: Customize Application

    AND

    Modify All Data

    Security Assertion Markup Language (SAML) is an XML-based standard that allows you tocommunicate authentication decisions between one service and another. It underlies many Websingle sign-on solutions. Salesforce supports SAML for single sign-on into Salesforce from a corporateportal or identity provider.

    Much of the work to set up single sign-on using